where you able to get this to work the way you wanted? This look like a scenario I've been asked to research for us as well. We had EEPC 5.1.8 deployed with autoboot enabled, and I want to automatically encrypt USB devices without a user prompt. I think I understand the policy that needs to be created for EEFF, but I wasn't sure which users get the policy. The autoboot users?
See the above reply from SafeBoot -- autoboot users don't work with EEFF.
I'm not sure where we are going to go with this. Management has got the idea from the sales pitch that EERM USB encryption will be clean and simple but it's definitely not when you're, like us, using autoboot rather than "real" EEPC IDs.
I have a pilot starting (using EEM_523 & EEFF_324) where I will have CD/DVD media created with the self-extractor and USB drives encrypted with EERM. Workstations are shared with only some of the users in the pilot. I need a way to load the EEFF/EERM client on the users systems but not have the user forced to log on so that non-pilot users don’t see any change.
I created a policy group (NoLogon) with the following configuration. GENERAL tab options "Show About option on system tray menu" and "Disable forcing of logon on first boot" set – everything else unchecked. FILE EXTENSIONS tab blank. FOLDERS tab blank. REMOVABLE MEDIA tab option "Use no removable media" set. CD/DVD ENCRYPTION tab options cleared. KEY MANAGER tab options cleared. USER LOCAL KEYS tab options cleared. ENCRYPTION OPTIONS tab option "Preserve file times" set and all other items cleared. NETWORK tab options cleared. I used this policy to build an installation kit for the client systems.
When installed on the client system, I can log on and not receive any McAfee logon window. Next a pilot user logs on to the workstation, forces a Synchronize using the system tray icon menu, logs on to EE and receives their policy. I know they received a new policy because the context sensitive menu now shows them the McAfee Endpoint Encryption item. The pilot user’s policy includes REMOVABLE MEDIA tab options "Use McAfee Endpoint Encryption for Removable media (EERM)", "Use Recovery Key" (with key named "Default", (Protected Area) "Entire Device", and "Exclude devices larger than 16384 MB" set – all other options cleared. However, inserting a USB drive does nothing. EERM never seems to get triggered.
The only way that I can get EERM working again is to remove/uninstall the client software from Add/Remove programs and then install the alternate kit built from a policy that included the EERM options.
Is there a way to set the EERM policy to load for the pilot users while still keeping the installation kit set to not require logins to EE?
Remember that EEFF requires two reboots to really work:
After the code install, REBOOT. Then, after the (user) policy is downloaded (synced) for the first time, REBOOT again.
THEN, finally, EERM will work.
There may be something else going on here if you are also running McAfee's AV. At least in our installation (8.5 with anti-spyware), Access Protection prevents EERM from installing its filter driver, causing exactly your symption -- nothing happens when you insert a USB stick. To work around this, you can either temporarily disable Access Protection during the installation or make sure your installer is named xxxsetup.exe where "xxx" is zero to 3 characters -- such a name is already excluded from Access Protection by default.
Please note that the EEFF uninstaller name is hardcoded in the product and does not match the pattern above so uninstall will not work without disabling Access Protection. Alternatively, you can add an exclusion to Access Protection for the EEFF uninstaller's name.
You can check to see whether Access Protection is causing a problem by opening the Viruscan Console and then right clicking on Access Protection in order to view its log.
I tested both items today. It looks like the problem was caused by the Access Protection in McAfee VirusScan. I disabled Access Protection (I'm allowed a 5 minute disable in the ePO policy) then uninstalled EEFF - rebooted - (disabled Access Protection again) reinstalled the NoLogon EEFF client kit and again rebooted. When I log on to the workstation using my windows pilot-test account I do not get prompted for EEFF credentials. I can force a Synchronize and logon to an EEFF account that is allowed EERM use and it works great. I can then synchronize again and logon to an EEFF account in the NoLogon group and the EERM software no longer gets triggered. I can synchronize/logon back and forth with the EERM allowed and EERM not-allowed accounts and it is working as I had expected. I can also log on to the workstation with a different Windows user and not receive any EEFF prompt regardless of how my pilot-test user was last logged on to EEFF (allowed/not-allowed).
For the actual pilot deployment, do I just need to have our ePO administrator exclude the client installation kit (I named it EEFF-Setup-Pilot-Phase-1.exe) from the Access Protection rule/policy?
Thanks for the assistance!!
I can't comment on all the details of how you're using EEFF/EERM, but as far as I know, an Access Protection exclusion for the installation should work. A couple of suggestions: 1) use wild card(s) in the exclusion so that you don't need a new exclusion for later versions, and 2) also add an exclusion for the uninstall program (SbCeSetup.Exe) so that the product can be uninstalled without stopping Access Protection.
Sean, I wrote instructions for this here http://community.mcafee.com/blogs/danlarson/2010/02/15/use-case-setup-eerm-without-user-accounts
I also have a demo video here http://www.youtube.com/watch?v=Hd6GDxJIBGo that shows how to setup EERM without user interaction.
If it doesn't work after following these steps, then we have a bug or some kind of incompability problem.